
Recently, my girlfriend forgot her Windows 10 password, locking her out of her almost-brand-new laptop. I took it as a personal challenge to break into the Windows security layer and extract her password. Resetting the password was not an option!

With the Windows 10 Anniversary Update, cracking a Windows password got tougher, but after trying different approaches I managed to do it. Here is a guide to the steps to follow.

TL;DR: we will crack a Windows 10 password without admin access, working offline from a live USB, and this method works with the Windows 10 Anniversary Update.

Step 1 – Booting on a Live USB OS

With the live USB ready, boot the target machine from it: turn off the computer you want to crack, plug in the USB key, start it and enter the BIOS setup (the key varies by vendor; F11 and DELETE are common). Reorder the devices under Boot Priority so that your USB key comes first.

You will probably have to enable Legacy Support in your BIOS. On a UEFI machine that usually goes together with disabling Secure Boot, which is what otherwise refuses to start an unsigned live image.

Enabling Legacy Support in the BIOS.

You can then Save and exit (F10), and proceed to booting on the OS.

Step 2 – Accessing Windows file system

Once the live OS is loaded, open a file manager. Your Windows partition may already be mounted, possibly read-only: Windows Fast Startup leaves the NTFS volume in a hibernated state, and Linux then only mounts it read-only, which is enough here since we only need to copy files from it. If that is the case, you can jump directly to Step 3. If the drive is protected by BitLocker (Device Encryption is switched on by default on some recent laptops), the partition cannot be read from the live OS without the recovery key, and this method does not apply.

You can deduce which device is the main Windows partition by looking at the Size column. Here 118G is the one we are looking for, as the SSD capacity is 128 GB; its type should be NTFS, and once mounted it should contain Windows/System32/config, the directory where the SAM and SYSTEM hives live.
Also, you might have multiple physical disks, so it is up to you to choose the right one.

Where SYSTEM_export and SAM_export are the files we copied in the previous step.

Windows does not store the password itself: the SAM holds its NT hash, an unsalted MD4 of the UTF-16LE password. So even if we cannot read the Windows 10 password right now, the tool can give us its hash. It lists the local users and their respective hashes. Find the one you want to crack and you are good to go to the next part.

Part III – Cracking the hash

Now we have to gather as much information as we can about the password we are about to crack: every constraint we know shrinks the search space and lets the cracking tool finish significantly faster.

You should first ask the owner of the device what kind of Windows password they usually use, in order to get a rough idea of its structure. If the password is not completely random, you can combine a dictionary with a brute-force mask instead of brute-forcing everything. With hashcat, this is called a hybrid attack (-a 6 appends the mask to each dictionary word, -a 7 prepends it).
For instance, in my case, the forgotten password was probably a common name followed by a bunch of random-ish letters/numbers (e.g. tomsdev54d). Assuming you stored the hash in phihash.txt (one 32-hex NT hash per line) and that you have a dictionary file phidict.log, here is the hashcat command to match this kind of password (-m 1000 selects NTLM):

hashcat64.exe -m 1000 -a 6 phihash.txt phidict.log ?a?a?a

If the dictionary contains "tomsdev", the password will be cracked in less than a minute and the result will be written to hashcat.potfile (one hash:plaintext line per cracked hash).

Searching more efficiently

If we had to brute-force this 10-character password with the full ?a charset, the search would be 95^10, about 6×10^19 candidates, far beyond days. Instead, we are searching all combinations of "<dictionary word><3 characters>": the mask ?a?a?a appends exactly three characters drawn from the 95 printable ASCII characters, so each word costs 95^3 = 857,375 candidates, and a 100-word dictionary costs about 86 million, roughly a 4-character brute force (95^4 ≈ 81 million). To also try shorter suffixes ("up to 3 characters"), add hashcat's increment option (-i). You can then tweak the pattern according to your needs (see the hashcat documentation for more information).
For instance, a slightly different pattern requires a different mask:
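The hybrid attack from the two passages above, worked through as an added example (not the post's code): it shows what hashcat -m 1000 is actually hashing, counts the candidates a given dictionary-plus-mask run has to try with and without -i, and reproduces the -a 6 search in pure Python on a constructed two-character example (the three-character ?a?a?a search is the same loop, just 95 times bigger, which is why it is hashcat's job and not Python's). MD4 is implemented inline because hashlib's md4 is unavailable on many OpenSSL 3 systems; the word list, target password and potfile line are constructed, and the helper names are this example's own.

```python
#!/usr/bin/env python3
"""What `hashcat -m 1000` cracks and how the `-a 6` hybrid attack searches.
Added example, not the post's code. Standard library only: hashlib's md4 is
unavailable on many OpenSSL 3 systems, so MD4 is implemented here directly."""
import itertools
import string
import struct

MASK32 = 0xFFFFFFFF


def _rotl(value, bits):
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def md4(message: bytes) -> bytes:
    """MD4 as specified in RFC 1320, one 64-byte block per iteration."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_length = len(message) * 8
    message += b"\x80"                                   # padding: a 1 bit, zeros...
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_length)             # ...then the 64-bit length
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for offset in range(0, len(message), 64):
        x = struct.unpack("<16I", message[offset:offset + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                              # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c                      # rotate roles: next step updates "d"
        for i in range(16):                              # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                              # round 3
            a = _rotl((a + h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """The NT hash stored in the SAM: unsalted MD4 of the UTF-16LE password.
    No salt and a single MD4 block per short candidate is why NTLM cracks so fast."""
    return md4(password.encode("utf-16-le")).hex()


# hashcat's ?a charset: ?l + ?u + ?d + ?s, the 95 printable ASCII characters.
PRINTABLE = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation + " "


def _suffix_lengths(suffix_len, increment):
    # Without -i the mask is fixed-length; with -i (--increment) hashcat also
    # tries the shorter prefixes of the mask, i.e. 1..suffix_len characters.
    return range(1, suffix_len + 1) if increment else (suffix_len,)


def hybrid_candidates(words, suffix_len, increment=False):
    """Candidates `-a 6` generates for <word><mask> with a mask of suffix_len ?a."""
    for word in words:
        for n in _suffix_lengths(suffix_len, increment):
            for tail in itertools.product(PRINTABLE, repeat=n):
                yield word + "".join(tail)


def keyspace(n_words, suffix_len, increment=False):
    """Number of candidates the hybrid run hashes in the worst case."""
    return n_words * sum(95 ** n for n in _suffix_lengths(suffix_len, increment))


def crack_ntlm(target_hash, words, suffix_len, increment=False):
    """Pure-Python equivalent of the hashcat run: the password, or None if the
    dictionary does not contain the right stem."""
    target_hash = target_hash.lower()
    for candidate in hybrid_candidates(words, suffix_len, increment):
        if ntlm(candidate) == target_hash:
            return candidate
    return None


def hashcat_command(hashfile, dictfile, suffix_len, increment=False, binary="hashcat64.exe"):
    """The post's command line for a given suffix length; the hash file holds
    one 32-hex NT hash per line."""
    flags = "-m 1000 -a 6" + (" -i" if increment else "")
    return f"{binary} {flags} {hashfile} {dictfile} {'?a' * suffix_len}"


def potfile_lookup(potfile_text, target_hash):
    """hashcat.potfile lines are `hash:plaintext`; return the plaintext or None."""
    for line in potfile_text.splitlines():
        digest, _, plain = line.partition(":")
        if digest.lower() == target_hash.lower():
            return plain
    return None
```

`keyspace(100, 3)` is the 86-million figure from the text, and `keyspace(100, 3, increment=True)` shows how little the shorter suffixes add on top of it; `crack_ntlm(ntlm("tomsdev5d"), ["alice", "tom", "tomsdev"], 2)` finds the constructed password in a few seconds of pure Python, and returns None as soon as the stem is missing from the dictionary, which is the whole reason the next section is about choosing the word list.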

Which dictionary should I use?

As I mentioned, this is completely up to the kind of password you want to crack. I recommend using at least a localized dictionary that matches the user's mother tongue.

But a better way is to build a custom dictionary from the user's own words: names, places, nicknames, etc. That's what I did using Facebook, and it worked wonders, saving me countless days of brainless brute-forcing and wasted GPU cycles.

Conclusion

I hope that this guide helped you retrieve your lost Windows password and that you had fun acting hacker-ish while doing it. Feel free to ask any questions in the comments.

Retrieving lost Windows 10 password, using Kali Linux, mimikatz and hashcat was last modified: December 5th, 2017 by Tom Guillermin

Well, in that case, part of the challenge was to actually find what the password was! But it surely is simpler via a password reset, if your goal is only to log on to whatever account. And I guess Microsoft will eventually fix this exe swapping exploit before changing the way they store passwords 😉
But thanks for sharing this alternative!